Preparing for (and Surviving) a Meaningful Use Audit · 2014. 8. 19.
TRANSCRIPT
Slide Deck: http://goo.gl/61dwUc
Webex Support: 1-866-223-3239
Event # 667 893 764
“Preparing For (and Surviving) a Meaningful Use Audit”
A Complimentary Webinar From healthsystemCIO.com
Sponsored by Redspin
Your Line Will Be Silent Until Our Event Begins
Thank You!
Housekeeping
• Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com
• Ask A Question
- We will be holding a Q&A session after the formal presentations.
- You may submit your questions at any time by clicking on the Q&A panel located in the lower right corner of your screen, typing your questions in the text field and hitting send. Please keep the send to default as “All Panelists.”
• Download the Deck
- Go to: http://healthsystemcio.com/presentation/muaudit-huffman-webinar.pdf
- Shortened link below appears on most slides.
• View the Archive
- You will receive an email when our archive recording is ready.
- Separate registration is required.
Agenda — 45 Minutes
• 20 minutes: Steve Huffman, CIO, Beacon Health System
• 5 minutes: A Word From Our Sponsor: Dan Berger, President/CEO, Redspin
• 20 minutes: Q&A w/Steve Huffman
“Preparing for… (and surviving) a Meaningful Use Audit”
CMS
You should know by now…..
• Payments = audit potential (thank goodness)
• Your documentation should be kept for 6 years from attestation!
• States are auditing separately for Medicaid
• Figliozzi is the current CMS audit contractor for MU
• Assume you will be audited (more than once)
• Each payment is an audit target
• Each audit can be a bit different
• Prepare to be tired of audits
Pre-Audit Activity
Be ridiculously familiar with the nuances of MU
• Saying “I didn’t know” is never a good response
• Read and re-read the detail of the MU measures
• If you assign a team to lead MU, read the detail yourself
• Read the CMS Supporting Documentation for Audits material
Pre-Audit Activity
Assemble, Practice and Communicate
• Develop a team responsible for MU submission & audits
- Our team is led by CPO & includes internal audit and specific analysts and informatics
• Any information should be held in a KNOWN spot – someone might leave!
• Practice audits (inpatient / ambulatory / state / CMS)
• Inform your Board – usually Audit Committee
Pre-Audit Activity
Create and maintain your MU submission documentation
(a.k.a. The Audit Book)
• Screen shots (host & receiver systems if possible)
• Reports (vendor logo?!?!?!)
• Letters (vendor certification / exchange recipients)
• Summary of any changes that occurred during reporting period
• Include latest information from your vendor related to MU detail – their reports change!
• Ask your vendor for help or examples
Pre-Audit Activity
Risk Analysis
• Perform a risk analysis!
• Any Health System could always improve this activity!
• Budget for it – both assessment and remediation
• Our approach:
- State regional extension center risk assessment
- Internal major changes risk assessment
- Document plan post assessment
- Document progress on remediation
- For the love of Pete – DOCUMENT!
During the Audit
• Your auditor is a real person, not the enemy
• Provide exact information requested, no more and no less
• If you need to explain, then provide a summary
• If you have questions, call the person responsible for the audit
• Test your connection to their secure site to submit documents early
• If you need more time or more info – ASK
• Communicate about the audit – be open (admin team, audit committee)
• It takes about 16 hours to go through a typical CMS audit and 32 for Medicaid
Post Audit Activity
• Debrief – what went well, what didn’t
• Refine your documentation
• Communicate
A Few Random Thoughts
• Our auditors have been tough but fair
• Risk assessments are tough – lots of scrutiny & lots of work
• Risk management next target? - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
• Information system activity review next target? - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
• Concern over MU2 audits – The level of documentation required around process – Direct messaging, visit summary and portal
Meaningful Healthcare IT Security ®
www.redspin.com
Mission Statement
To help our clients safeguard protected health information (PHI) from data breach and meet and maintain regulatory compliance.
Healthcare Experience
• Conducted HIPAA Security Risk Analysis at 115 hospitals
• Helps Meet Meaningful Use Stage 1 and Stage 2
• Expert Security Engineers and Compliance Professionals
• Extended Risk Analysis Scope:
- Application Risk Analysis
- Business Associates
- Mobile Devices
Technical Services
• Penetration Testing
• Web Application Security
• HIPAA Risk Analysis
• Mobile Device Security
• Social Engineering
Meaningful Use: Objective
“Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.”
- Preamble to Stage 2 CMS Final Rule; Medicare and Medicaid Programs; Electronic Health Record Incentive Program
Meaningful Use: Core Measure
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1) including addressing the encryption/security of data stored in certified EHR technology in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306 (d)(3) and implement security updates as necessary and correct identified security deficiencies as part of the risk management process.”
A Few Tips
• CMS is auditing MU attestors (so might the OIG)
• CEHRT is not synonymous with EHR application.
• Assessing security risk to PHI must extend to networks, hosts, applications, cloud storage, back-up, mobile devices, business associates, etc.
• That said, don’t neglect to document all EHR security controls
• Document your encryption strategy for data at rest
Q&A
Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the
send to default as “All Panelists.”
Thank You!
• You will receive an email when our archive recording is ready. (Separate registration is required)
• Thanks to our sponsor: Redspin!
• Don’t Forget To Claim Your CHIME CHCIO Credits – Attending healthsystemCIO.com Webinars = 1 CEU
• Questions/Comments – Anthony Guerra [email protected]
Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.